Wireless building automation networks in the sense of the invention are networks used to connect building technology devices forming the network nodes, for example lighting means (such as lamps), sensors (such as light sensors, movement/motion sensors, acoustic sensors, optical sensors, . . . ) and actuators (e.g. for controlling window blinds), and/or other controls (equipment such as switches and interrupters, e.g. for controlling lights).
While the invention primarily relates to wireless building automation networks and building technology devices, the principles of this invention can also be used in other fields.
Traditionally, networked building technology devices are connected by and to field busses.
In these traditional setups, no explicit identity management is required and no issues arise concerning the ownership of the connected devices and how they can trust each other. On a field bus, the common assumption is that any device connected to the bus can fully be trusted. It is hence assumed that a device connected to the bus does not lie about its identity and that the ownership of the device is not a problem as, once it is connected to the bus, full ownership over the device is assumed.
In wireless networks, however, there is no wired channel to which the devices can be connected and hence the common model for trusting devices, for assuming ownership and for assuring identity cannot be applied.
Nevertheless, in wireless networks the ownership of network nodes still needs to be defined, the identity of the devices connected to the network has to be assured and it needs to be determined which devices can be trusted. In particular, the ownership problem, which the invention implicitly addresses, arises when a wireless network overlaps with another wireless network from which it should be kept separate, i.e. it must be determined whether a specific network node NWN,1 belongs to or is allowed in a specific wireless network.
For example, it is required to prevent devices not belonging to the network from listening in (“eavesdropping”) and manipulating network communication.
If such a malicious device were placed in a company building, an attacker could control building technology devices (lights, doors, . . . ) or gain access to other secret information.
The invention also targets the commissioning problem, which relates to securely performing the initial setup of the wireless network and its network nodes. One aim of the invention is to provide commissioning procedures which can easily be integrated into the commissioning process.
There are well known technologies available which can be used to communicate securely in a wireless network. One of these technologies is public-key cryptography.
Here, the problem of exchanging public keys arises. If the public keys are exchanged over the wireless network itself, the communication path can easily be intercepted: a third party may read a public key in transit and replace it with a public key of its own, so that each legitimate party unknowingly establishes a secure channel with the attacker rather than with its intended peer (a man-in-the-middle attack). A public key received over the air therefore proves nothing about who sent it, and additional security measures are required in wireless networks to authenticate the exchange of public keys.
Prior art approaches such as "ZigBee Smart Energy" require installation of a private/public key pair together with a certificate in each network node when the node is produced ("manufacturer-installed certificate"). A certificate is a public key, bound to the identity of its holder, signed by an independent, trusted third party, a "certificate authority". In case a customer wishes to add a network node (e.g. a sensor) to the network later, the customer contacts the producer or vendor of the network node and goes through an IT process and cryptographic protocol also involving the certificate authority. In the end the customer's trust center (network management node) securely receives and trusts the new network node and vice versa.
The invention can establish trust between network nodes and trust center without relying on third parties (certificate authority, producer, and vendor).
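The following example illustrates the two problems just described: a public-key exchange over the air that an attacker can hijack by substituting its own key, and the same exchange bound to a secret that was handed to both nodes out of band during commissioning, which lets each node reject a substituted key, and a node of an overlapping network, without any certificate authority. It is an added illustration and not the protocol of the patent or of ZigBee Smart Energy; the Diffie-Hellman group, the `Node`, `Attacker`, `run_exchange` names and the per-network commissioning secret are assumptions made here for readability.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group (assumption: small enough to read, far too small
# to be secure; a real node would use a standard 2048-bit MODP group or an
# elliptic curve). P is the Mersenne prime 2^31 - 1, G = 7 a primitive root.
P = 2**31 - 1
G = 7


def derive_key(shared_secret: int) -> bytes:
    """Turn the raw DH result into a fixed-length session key."""
    return hashlib.sha256(shared_secret.to_bytes(4, "big")).digest()


def key_tag(secret: bytes, node_id: str, pub: int) -> str:
    """HMAC over (node id, public key) under the commissioning secret."""
    return hmac.new(secret, f"{node_id}|{pub}".encode(), hashlib.sha256).hexdigest()


class Node:
    """A building technology device or the trust center.

    `commissioning_secret` is a hypothetical per-network secret handed to the
    node out of band during commissioning (e.g. entered by the installer).
    None models a node that only has a key pair and nothing to bind it to."""

    def __init__(self, node_id: str, commissioning_secret: Optional[bytes] = None):
        self.node_id = node_id
        self.secret = commissioning_secret
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def announce(self) -> dict:
        """Message sent over the air: public key, plus a tag if a secret is installed."""
        msg = {"id": self.node_id, "pub": self.pub}
        if self.secret is not None:
            msg["tag"] = key_tag(self.secret, self.node_id, self.pub)
        return msg

    def accept(self, msg: dict) -> Optional[bytes]:
        """Check the peer's announcement and derive the session key.

        Returns None if the public key is degenerate, or if this node holds a
        commissioning secret and the announcement carries no valid tag for it:
        the peer is then either an attacker who substituted its own key or a
        node of a different, overlapping network."""
        if not 1 < msg["pub"] < P - 1:
            return None
        if self.secret is not None:
            expected = key_tag(self.secret, msg["id"], msg["pub"])
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                return None
        return derive_key(pow(msg["pub"], self._priv, P))


class Attacker:
    """Device on the wireless link that rewrites announcements in transit."""

    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def tamper(self, msg: dict) -> dict:
        forged = dict(msg)        # any existing tag is forwarded unchanged:
        forged["pub"] = self.pub  # without the secret it cannot be recomputed
        return forged

    def key_with(self, victim_pub: int) -> bytes:
        return derive_key(pow(victim_pub, self._priv, P))


def run_exchange(a: Node, b: Node, attacker: Optional[Attacker] = None):
    """Exchange announcements between a and b, optionally through an attacker.
    Returns the session key each side derived (None = announcement rejected)."""
    msg_a, msg_b = a.announce(), b.announce()
    if attacker is not None:
        msg_a, msg_b = attacker.tamper(msg_a), attacker.tamper(msg_b)
    return a.accept(msg_b), b.accept(msg_a)


if __name__ == "__main__":
    # 1. Keys exchanged in the clear: the attacker holds a session key to each side.
    a, tc, mallory = Node("sensor-1"), Node("trust-center"), Attacker()
    ka, kb = run_exchange(a, tc, mallory)
    print("unauthenticated, MITM succeeds:",
          ka == mallory.key_with(a.pub) and kb == mallory.key_with(tc.pub))
    # 2. Same exchange with a commissioning secret installed on both nodes.
    s = secrets.token_bytes(16)
    a, tc = Node("sensor-1", s), Node("trust-center", s)
    print("authenticated, MITM rejected:", run_exchange(a, tc, mallory) == (None, None))
    ka, kb = run_exchange(a, tc)
    print("authenticated, honest peers agree:", ka == kb)
    # 3. A node of a neighbouring network holds a different secret and is not accepted.
    foreign = Node("sensor-9", secrets.token_bytes(16))
    print("foreign network rejected:", run_exchange(a, foreign) == (None, None))
```

The tag binds the node's identity and public key to a secret the attacker never sees on the air, so substituting a key invalidates the tag; the secret also doubles as the membership criterion for the ownership problem, since a node commissioned for a neighbouring network cannot produce a valid tag for this one. What this toy does not cover is how the commissioning secret itself reaches the node securely, which is exactly the part the commissioning procedure has to solve.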